podman: add --creds and --cert-dir to create/run

Add --creds flag to podman create and podman run commands to support
registry authentication during image pulling.

Without this flag, users must perform a separate `podman pull
--creds/--cert-dir` first and then remember to specify `--pull=never`.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

cmd/podman/common/create.go

@@ -529,8 +529,24 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 				"`Pathname` of signature policy file (not usually used)",
 			)
 			_ = createFlags.MarkHidden("signature-policy")
+
+			certDirFlagName := "cert-dir"
+			createFlags.StringVar(
+				&cf.CertDir,
+				certDirFlagName, "",
+				"`Pathname` of a directory containing TLS certificates and keys",
+			)
+			_ = cmd.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 		}
 
+		credsFlagName := "creds"
+		createFlags.StringVar(
+			&cf.Creds,
+			credsFlagName, "",
+			"`credentials` (USERNAME:PASSWORD) to use for authenticating to a registry",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(credsFlagName, completion.AutocompleteDefault)
+
 		createFlags.BoolVar(
 			&cf.Replace,
 			"replace", false,

cmd/podman/containers/create.go

@@ -384,6 +384,7 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 		PullPolicy:       pullPolicy,
 		SkipTLSVerify:    skipTLSVerify,
 		OciDecryptConfig: decConfig,
+		CertDir:          cliVals.CertDir,
 	}
 
 	if cmd.Flags().Changed("retry") {
@@ -404,6 +405,15 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 		pullOptions.RetryDelay = val
 	}
 
+	if cliVals.Creds != "" {
+		creds, err := util.ParseRegistryCreds(cliVals.Creds)
+		if err != nil {
+			return "", err
+		}
+		pullOptions.Username = creds.Username
+		pullOptions.Password = creds.Password
+	}
+
 	pullReport, pullErr := registry.ImageEngine().Pull(registry.Context(), imageName, pullOptions)
 	if pullErr != nil {
 		return "", pullErr

docs/source/markdown/options/cert-dir.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman artifact pull, artifact push, build, container runlabel, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, search
+####>   podman artifact pull, artifact push, build, container runlabel, create, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--cert-dir**=*path*

docs/source/markdown/options/creds.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman artifact pull, artifact push, build, container runlabel, farm build, kube play, manifest add, manifest push, pull, push, search
+####>   podman artifact pull, artifact push, build, container runlabel, create, farm build, kube play, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--creds**=*[username[:password]]*

docs/source/markdown/podman-create.1.md.in

@@ -83,6 +83,8 @@ and specified with a _tag_.
 
 @@option cap-drop
 
+@@option cert-dir
+
 @@option cgroup-conf
 
 @@option cgroup-parent
@@ -113,6 +115,8 @@ and specified with a _tag_.
 
 @@option cpuset-mems
 
+@@option creds
+
 @@option decryption-key
 
 @@option device

docs/source/markdown/podman-run.1.md.in

@@ -102,6 +102,8 @@ and specified with a _tag_.
 
 @@option cap-drop
 
+@@option cert-dir
+
 @@option cgroup-conf
 
 @@option cgroup-parent
@@ -132,6 +134,8 @@ and specified with a _tag_.
 
 @@option cpuset-mems
 
+@@option creds
+
 @@option decryption-key
 
 #### **--detach**, **-d**

pkg/domain/entities/pods.go

@@ -266,6 +266,8 @@ type ContainerCreateOptions struct {
 	IsInfra              bool
 	IsClone              bool
 	DecryptionKeys       []string
+	CertDir              string
+	Creds                string
 	Net                  *NetOptions `json:"net,omitempty"`
 
 	CgroupConf []string

test/system/030-run.bats

@@ -2,6 +2,7 @@
 
 load helpers
 load helpers.network
+load helpers.registry
 
 # bats test_tags=distro-integration, ci:parallel
 @test "podman run - basic tests" {
@@ -1827,4 +1828,35 @@ EOF
     run_podman rm -f $c1name $c2name
 }
 
+# bats test_tags=networking,registry
+@test "podman run with --cert-dir" {
+    skip_if_remote "cert-dir option not working via remote"
+
+    test -n "$PODMAN_LOGIN_REGISTRY_PORT" || skip "registry not set up"
+
+    start_registry
+
+    image=localhost:${PODMAN_LOGIN_REGISTRY_PORT}/cert-dir-run-test-$(safename)
+
+    # First push an image to our test registry
+    run_podman push \
+               --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $IMAGE $image
+
+    # Run without --cert-dir should fail (TLS verification error)
+    run_podman 125 run --rm \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $image echo "this should fail"
+
+    # Run with --cert-dir should succeed (will pull the image)
+    run_podman run --rm \
+               --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $image true
+
+    # Clean up, and it would fail if the $image was not pulled
+    run_podman rmi $image
+}
+
 # vim: filetype=sh